hadoop-common-issues mailing list archives

From "John Zhuge (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14083) KMS should support old SSL clients
Date Sun, 19 Feb 2017 10:15:44 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

John Zhuge updated HADOOP-14083:
    Attachment: HADOOP-14083.branch-2.002.patch

Patch branch-2.002
- Use file catalina.properties to transfer KMS properties instead of env CATALINA_OPTS
- Create catalina-default.properties to store default Tomcat properties
- Update doc

- Discuss Allen's idea of strong security by default

Follow up in a new JIRA
- Refactor KMS scripts based on catalina.properties technique

Testing done
- Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/kms.bats in insecure and SSL single node setup
- Run sslscan to verify ciphers in the following test cases:
    -- No KMS_SSL_CIPHERS, to allow KMS default ciphers
    -- KMS_SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256", to allow this cipher only

> KMS should support old SSL clients
> ----------------------------------
>                 Key: HADOOP-14083
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14083
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.8.0, 2.7.4, 2.6.6
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Minor
>         Attachments: HADOOP-14083.branch-2.001.patch, HADOOP-14083.branch-2.002.patch
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL clients such as curl stop working. The symptom is {{NSS error -12286}} when running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to explicitly allow enough weak ciphers so that old SSL clients can work.
